It’s 2024 and the API breaches keep coming

APIs are built specifically to share a company’s most valuable data and services. This makes them a lucrative target for bad actors. We’ve reached the tipping point: APIs are now THE way in. Salt Security’s State of APIs 2024 security report revealed that the number of APIs is on the rise, having increased by 167% in the past year. 95% of respondents have experienced security issues in production APIs, and 23% have experienced a breach. And despite API traffic growth, only 7.5% of organizations have implemented dedicated API testing and threat modeling programs.

Here are some of the top API security breaches of 2024 that underscore the critical importance of effectively securing APIs:

1. Sensitive Message Breach (January 2024): A flawed API gave unauthorized access to 650,000 sensitive messages, exposing passwords; penetration testers were able to pull sensitive data through the same flaw. A single API defect was enough to compromise highly sensitive information.

2. Trello Breach (January 2024): An exposed Trello API allowed private email addresses to be linked to Trello accounts, compromising the data of over 15 million users. One poorly protected endpoint turned into millions of compromised profiles.

3. Spoutible Data Leak (February 2024): An API vulnerability exposed Spoutible user data, including bcrypt password hashes. This incident shows what insufficient API security costs a social media platform.

4. GitHub Repository Secret Vigilance (March 2024): Nearly 13 million API secrets were found exposed across public GitHub repositories. Businesses were left vulnerable as attackers used those leaked credentials to gain unauthorized access.

5. PandaBuy Data Breach (April 2024): Critical vulnerabilities in PandaBuy’s API led to data theft affecting 1.3 million users. This breach highlights the need for strong API access controls to prevent unauthorized access.

6. Dropbox API Key Breach (May 2024): Attackers gained access to Dropbox’s production environment using compromised API keys, exposing customer data and multi-factor authentication (MFA) information.

7. Microsoft Graph API Abuse (May 2024): Attackers increasingly abused the Microsoft Graph API as a covert command-and-control channel for malware, hiding malicious traffic inside a trusted cloud service that defenders rarely block.

8. Dell API Breach (May 2024): Dell experienced a breach that affected 49 million customer records: attackers registered fake partner accounts and used a partner-portal API to pull customer data.

9. Rabbit R1 Vulnerability (June 2024): Rabbit R1’s AI assistant had hard-coded API keys exposed in its code, which could allow attackers to access all previous responses given by the assistant.

10. Cox Communications API Breach (June 2024): A vulnerability in a Cox Communications API put millions of modem configurations at risk, allowing attackers to manipulate customers’ network configurations.
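Items 4, 6 and 9 above share one root cause: credentials committed to source or left where an attacker can read them. The scanner below is an added example, not code from the Salt Security post or from any of the companies named; it is the kind of pre-commit check that would have flagged the Rabbit R1 keys and the public GitHub secrets. It combines publicly documented token formats (AWS, GitHub, Slack, PEM private keys) with a Shannon-entropy test on any quoted literal assigned to a secret-looking variable name. The sample source file, the 3.5-bit entropy threshold and the minimum literal length of 16 are assumptions chosen for the example; the `ELEVENLABS_API_KEY` value and the other literals are constructed and are not real credentials.

```python
"""Added example: a minimal hard-coded secret scanner (pattern + entropy)."""
import math
import re
from dataclasses import dataclass

# Publicly documented token formats. The Slack length bound is an assumption.
PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "Slack token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch: a secret-looking variable name assigned a quoted literal of 16+ chars.
ASSIGNMENT = re.compile(
    r"""(?i)\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score well above 3.5; prose and placeholders below."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    sample: str  # redacted, so the scanner's own report does not leak the secret


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan source text line by line; returns findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append(Finding(line_no, kind, redact(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(line_no, "high-entropy secret assignment", redact(m.group(1))))
    return findings


# Constructed sample file for this example; none of these values are real credentials.
SAMPLE_SOURCE = """\
# constructed sample for the scanner; none of these are real credentials
import requests

ELEVENLABS_API_KEY = "sk_0f3a9b1c2d4e5f60718293a4b5c6d7e8f9a0b1c2"
aws_key = "AKIAIOSFODNN7EXAMPLE"
TOKEN_PLACEHOLDER = "REPLACE_ME_REPLACE_ME"
GH = "ghp_" + "x" * 36  # assembled at runtime: a literal-pattern scanner will not see it
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.sample})")
```

Two things the sample is built to show: the placeholder on line 6 has a secret-looking name but low entropy and is correctly ignored, and the GitHub token on line 7 is assembled at runtime, so no literal scanner catches it. The second case is why the check belongs in CI and on pre-commit hooks as defence in depth, not as the only control; short-lived credentials and a secrets manager remove the incentive to hard-code keys in the first place.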

If you would like to learn more about Salt and how we can help you on your API security journey through runtime threat discovery, posture management and protection, please contact us, schedule a demo or check out our website.

*** This is a Security Bloggers Network syndicated blog from the Salt Security blog written by Michael Callahan. Read the original post at: https://salt.security/blog/its-2024-and-the-api-breaches-keep-coming